So the masses sent spinning by the leak could not turn to ALM for advice. Most could not easily turn to their partners. Someone had to fill this enormous absence, hear grievances.
Troy Hunt, a mild-mannered technology consultant from Sydney, had not expected it would be him.
As the crisis developed he found that dozens and then hundreds of people, caught up in the event, were looking to him for help and for counsel. Hunt, who is in his late 30s, explained what happened. His expertise is
internet security; he teaches courses in it. As a side project, since 2013, he has run a free web service, HaveIBeenPwned.com, that allows concerned citizens of the internet to enter their email address, go through a simple process of verification, and then learn whether their personal information has ever been stolen or otherwise exposed in a data breach. When hackers pinched data from servers at Tesco, at Adobe, at Dominos Pizza, Hunt trawled through the data that leaked and updated his site so that people could quickly find out if they were affected. After the Ashley Madison leak he did the same.
Only this time, Hunt recalled, desperate and difficult and extremely personal messages began arriving in his inbox almost immediately. Mostly it was men who emailed paying customers of Ashley Madison who mistakenly believed that Hunt, having sifted through the leaked data, might be able to help them. Could he somehow scrub their credit cards from the list? Hunt described the tone of these emails as fearful, illogical, emotionally distraught. About a hundred emails a day arrived in that early period, Hunt recalls. Considered together they form a bleak and fascinating historical document: a clear view into the hivemind of those caught up in the leak, caught out.
People confessed to Hunt their reasons for subscribing to Ashley Madison in the first place: I joined Ashley Madison one night bored, honestly Curiosity Drunken evening They volunteered to him what theyd done, or nearly done, or hadnt done at all. They described what it was like to learn about the leak: The worst night of my life Sheer fear Sick and foolish I cant sleep or eat, and on top of that I am trying to hide that something is wrong from my wife They pleaded with Hunt (who could do nothing for them). They apologised to him (a stranger). They wondered if they should admit everything to the people who mattered to them. And they wondered what that might cost. Tell your wife and kids you love them tonight, said one email. I shall do the same, as I really dont know if I will have many more chances to do so.
Some of those who got in touch, Hunt told me, mentioned suicide. He didnt know what to do. He was a computer consultant. He sent back the numbers of telephone helplines.
Who was behind the hack? Who was the Impact Team that claimed responsibility?
Troy Hunt often wondered about that. He knew a lot about data theft at big corporations, what it tended to look like. Hunt thought this episode seemed out of character with many such hacks hed seen. The theft of such a large amount of data usually suggested to Hunt that somebody employed by the company (or someone who had physical access to its servers) was the culprit. But then, he reasoned, the subsequent leaks had been so careful, so deliberate. They came out and said: This is what were going to do. Then radio silence. And then a month later: Heres all the data. It was sinister, Hunt thought, militaristic even.
Then there was the jarring strand of moralising in the messages the Impact Team did put out. Learn your lesson and make amends was the groups advice to any of Ashley Madisons users left in pieces by their work. Not the obvious behaviour, Hunt suggested, of a revenge-minded staffer who only wanted to hurt his or her employer.
Brian Krebs made efforts to understand the hackers, too. Hed never been able to figure out who first tipped him off, but he wondered at one point if hed found a promising lead. In a detailed blog, published in late August, Krebs followed a trail of clues to a Twitter user who seemed to have suspicious early knowledge of the leak. I wasnt saying they did it, Krebs told me, I was just saying that maybe this was [a line of investigation] that deserved more attention. He didnt know if police forces investigating the case ever followed up on his lead. The Toronto force, to date, has announced no arrests. (When I asked, recently, if there had been any developments their press department did not reply.)
Krebs told me: Whoevers responsible no doubt they know that there are now lots of people wanting to put a bullet in their head. If it were me, if I was going to do something like this, I would make pretty darn sure that nobody could trace it back to me. At least in public, the Impact Team has not been heard from again.
What motivated the hackers, then? In the initial ransom note the Impact Team suggested that unseemly business practices at ALM for instance a policy of charging users to delete their accounts on Ashley Madison and then continuing to store departing users personal information on internal servers had provoked the hackers ire and justified its attack. But the mass release of private data, to make a point about the maltreatment of private data, cannot have seemed to anyone a very coherent reason for doing all this.
To try to better understand the thinking of the Impact Team I spoke to hackers who said they were not involved with the Ashley Madison attack but had kept a close eye on it. The general assumption, in this community, seemed to be that attacking a firm such as Avid Life Media (a bit shouty, a bit sleazy) was fair game. Few felt the mass release of millions of peoples personal information they called it doxing was ideal hacker etiquette though. Not sure I would have doxed 20 million people at the same time, one said. Even so they felt the saga would teach the world a useful lesson. Anyone doing
anything online, I was told, should assume it isnt secure.
One hacker I spoke to said hed spent hours and hours digging through the Ashley Madison data after the leak, going out of his way to draw attention to his most salacious findings. Speaking to me by email and in private chatrooms, he asked that I call him AMLolz, for Ashley Madison laughs. We discussed some of the findings hed made and subsequently publicised, through an
AMLolz Twitter feed and an AMLolz website. He noted with some pride that in one of his deep searches hed come across emails that suggested members of Ashley Madisons staff were themselves having extramarital affairs. He had posted screenshots of incriminating personal messages, and several magazines and newspapers had picked up on his findings and run stories.
AMLolz might not have been involved in the Ashley Madison hack, but he was certainly involved in giving it an impactful afterlife. I asked him what motivated him. Disapproval? Revenge? Because it was very humorous, he said eventually. And very interesting. No mission statement, just looking for lols.
AMLolz used the term peripheral damage more than once in conversation, neatly encompassing, in those words, all the sleepless unfaithful and their tortured other halves, the newly unemployed, the dead, their doubly grieving widows. I asked AMLolz what he would tell one of these peripherally damaged if he were to meet them in person.
He replied: It would depend what they had to say to me first. [Smiley face.] That being said, something along the lines of: Own your actions. Dont lie to yourself, or anyone else Its not good. [Thoughtful face.]
In the west of England, Michael could hardly disagree with this. Even as he sat in his home office, reading the developing news about Ashley Madison and wondering if his wife was doing the same, he was well aware of his own culpability. He didnt think he had anyone else to blame but himself. Who was he really going to blame? Ashley Madison? I think it would probably be a little naive of me to expect high standards from a company that was promoting itself as a meeting point for people looking for adulterous affairs. Its a bit like borrowing money off your drug dealer and expecting him to pay it back. Michael simply accepted what was going on and watched, with a numb fascination, as the crisis rolled on.
In August, the private detective industry reported, cheerfully, an uptick in business. Lawyers steered high-publicity legal actions against Ashley Madison at least three plaintiffs in America wanted to sue as well as seeing through quieter divorce claims. In Australia a DJ decided to tell a woman live on air that her husband was on the database. Members and former members began to be sent anonymous extortion letters. Michael received several. Pay us in seven days, he was threatened in one email, or you know what will happen You can inform authorities but they cant help you. We are porfessionals [sic]. Michael was unnerved by the emails but ignored them. The world, in these small increments, got shabbier.
Like Troy Hunt in Australia,
Kristen Brown, in California, found herself operating as a sort of on-the-go counsellor during these strange months. For Brown, a 29-year-old journalist, it began when she started interviewing victims of the Ashley Madison leak for the website Fusion.net. Interviewees kept wanting to talk, though, long after shed published a lot of these people, Brown guessed, left without anyone else they could speak to frankly. I was basically functioning as a therapist for them. They were crushed by what happened. Brown guessed shed spoken to about 200 of those affected by the hack over the past six months.
To an unusual degree, Brown thought, a tone of moral judgment skewed the commentary and discussion around the Ashley Madison affair. Its a gut reaction, to pass a moral judgement, she said. Because nobody likes the idea of being cheated on themselves. You dont want to find your own partner on Ashley Madison. But spending hours and hours on the phone with these people, it became so clear to me how frigging
complicated relationships are.
Maybe we need privacy disasters like this to help us wake up: Brian Krebs, the cybercrime journalist who broke the Ashley Madison story in July 2015. Photograph: Daniel Rosenbaum/New York Times/Redux/Eyevine
Brown continued: We all have this idea of the site as completely salacious, right? Cheating men cheating on their unassuming wives. And I did speak to those men. But then I spoke to others whod, say, been with their wife since they were 19 they loved their wives but there were problems, there were kids, theyd stopped sleeping together. They had good partnerships, their lives worked, they didnt want to upend everything. They just werent fulfilled or satisfied romantically. Some people were on the site with the permission of their spouses. I talked to one woman who was afraid to leave her husband, and being on Ashley Madison was her way of working out what to do. Some people I spoke to were single and didnt want attachment and using Ashley Madison was just a
way. Peoples reasons were complex. They were real.
This, more or less, had always been Michaels reasoning for cheating. His situation was complex, and real. He told me he had been unfaithful to his wife from after we first got married, conducting a string of one-off or months- or years-long affairs for almost 30 years. As life partners, my wife and I fit really well. We are very, very good friends that describes us. But I know theres a missing dimension to our relationship.
Ashley Madison was a way to try to account for that missing dimension.
And not always, said Michael, a particularly satisfying way. He wasnt even sure that every woman he spoke to during his time on the site was genuine. Sometimes, when conversation had a flavour of classic soft porn, he said, he wondered if his correspondents were employees of the company, reading from scripts. (The likely truth, as suggested by internal documentation made available in the leak, was stranger still. Coders at Ashley Madison had created a network of fake, flirtatious chatbots to converse with men like Michael, teasing them into maintaining their subscriptions on the site. It was for this reason that commentators began to doubt whether Ashley Madison had as many subscribers as it advertised; Avid Life Media, ever since the leak, has always claimed to have a healthy and even growing userbase.)
Michael had met someone real through Ashley Madison. Like him she was in a stable companionable marriage, only one that lacked a certain dimension. She lived in the north of England. She had children. She and Michael shared tastes in books and spoke a lot on the phone. Sometimes they discussed their partners and their respective marriages, other times they steered from the subject. There was a sexual element to the affair, Michael said, but they never slept together. It was a relationship that was precious to him.
If youre going to chat a woman up in a bar, or at a work conference, or wherever, Michael told me, then: Hello, Im married is not a good opening line. Whereas if youre going on to a website like Ashley Madison they know. Its a bit ridiculous to talk about honesty in terms of these relationships. But they actually start with honesty. Because youre not pretending to be something youre not.
Ashley Madison was a way of having a safe affair, he said. Safe in the sense that he didnt think it likely hed be found out by his wife (he had his special browser, his secret email address). Also safe in the sense that he didnt think anyone would get hurt.Since the leak Michael had not used Ashley Madison again nor spoken to the woman in the north. His wife, as of February 2016, had not found out about his affairs.
The hack of Ashley Madison was historic the first leak of the online era to expose to mass view not passwords, not pictures, not diplomatic gossip, not military secrets, but something weirder, deeper, less tangible. This was a leak of desires.
I think that historys probably littered with examples of madams whose little black book went walking, you know what I mean? said Brian Krebs. But this was massive, en masse, on the internet. Who knows? Maybe we need privacy disasters like this to help us wake up.
Kristen Brown thought it was important to take away a different instruction from the saga. That marriage is not one thing, and that the millions of users of Ashley Madison very likely had millions of different reasons for being on there. Theres a vibe between two people that cant be quantified. How to say what the right path is for any one pair?
Relationships are fucking weird. And they get weirder the longer they go on.
In London recently I met with Troy Hunt. Hed flown in from Australia to teach a corporate course on internet security. We had lunch between morning and afternoon sessions in his classroom in Canary Wharf. While we ate Hunt showed me his phone another email had just come in from someone requesting his help. Six months had gone by since the leak; the flow of desperate messages had slowed but not stopped.
Hunt responded to this email the way he always did now, sending back a prewritten response that included a list of answers to frequently asked questions about the hack. Also that list of hotline numbers.
When wed finished eating his teaching resumed. Two dozen people filed into the room with their laptops and sat quietly while Hunt lectured them about cyber security. Hed worked a contemporary lesson into his speech, and projecting an image of a now-infamous website on to a screen behind him, he said to the class: Put up your hand if any of you have an account with Ashley Madison.
A nervous laugh went around the room. Nobody put up their hand.